
<!DOCTYPE HTML>
<html lang="zh-hans" >
    <head>
        <meta charset="UTF-8">
        <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
        <title>iptables · AGou's StudyNote</title>
        <meta http-equiv="X-UA-Compatible" content="IE=edge" />
        <meta name="description" content="">
        <meta name="generator" content="GitBook 3.2.3">
        <meta name="author" content="AGou">
        
        
    
    <link rel="stylesheet" href="../gitbook/style.css">

    
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-anchors/plugin.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-tbfed-pagefooter/footer.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-expandable-chapters-small/expandable-chapters-small.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-anchor-navigation-ex/style/plugin.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-prism/prism-tomorrow.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-insert-logo/plugin.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-search-pro/search.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-splitter/splitter.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-lightbox/css/lightbox.min.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-donate/plugin.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-code/plugin.css">
                
            
                
                <link rel="stylesheet" href="../gitbook/gitbook-plugin-fontsettings/website.css">
                
            
        

    

    
        
    
        
    
        
    
        
    
        
    
        
    

        
    
    
    
    <meta name="HandheldFriendly" content="true"/>
    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
    <meta name="apple-mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-status-bar-style" content="black">
    <link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
    <link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">

    
    <link rel="next" href="Linux_shell.html" />
    
    
    <link rel="prev" href="SElinux.html" />
    

    <style>
    @media only screen and (max-width: 640px) {
        .book-header .hidden-mobile {
            display: none;
        }
    }
    </style>

    </head>
    <body>
        
<div class="book">

    <div class="book-body">
        
            <div class="body-inner">
                
                    





                    <div class="page-wrapper" tabindex="-1" role="main">
                        <div class="page-inner">
                            
<div id="book-search-results">
    <div class="search-noresults">
    
                                <section class="normal markdown-section">
                                
<h1 id="iptables配置"><a name="iptables配置" class="anchor-navigation-ex-anchor" href="#iptables配置"><i class="fa fa-link" aria-hidden="true"></i></a>1. iptables配置</h1>
<h2 id="&#x9632;&#x706B;&#x5899;&#x76F8;&#x5173;&#x77E5;&#x8BC6;"><a name="&#x9632;&#x706B;&#x5899;&#x76F8;&#x5173;&#x77E5;&#x8BC6;" class="anchor-navigation-ex-anchor" href="#&#x9632;&#x706B;&#x5899;&#x76F8;&#x5173;&#x77E5;&#x8BC6;"><i class="fa fa-link" aria-hidden="true"></i></a>1.1. &#x9632;&#x706B;&#x5899;&#x76F8;&#x5173;&#x77E5;&#x8BC6;</h2>
<p>&#x4ECE;&#x903B;&#x8F91;&#x4E0A;&#x8BB2;&#xFF0C;&#x9632;&#x706B;&#x5899;&#x53EF;&#x4EE5;&#x5927;&#x4F53;&#x5206;&#x4E3A;&#x4E3B;&#x673A;&#x9632;&#x706B;&#x5899;&#x548C;&#x7F51;&#x7EDC;&#x9632;&#x706B;&#x5899;&#xFF1A;</p>
<ul>
<li><p>&#x4E3B;&#x673A;&#x9632;&#x706B;&#x5899;&#xFF1A;&#x9488;&#x5BF9;&#x4E8E;&#x5355;&#x4E2A;&#x4E3B;&#x673A;&#x8FDB;&#x884C;&#x9632;&#x62A4;&#xFF08;&#x9488;&#x5BF9;&#x4E2A;&#x4EBA;&#xFF09;</p>
</li>
<li><p>&#x7F51;&#x7EDC;&#x9632;&#x706B;&#x5899;&#xFF1A;&#x5F80;&#x5F80;&#x5904;&#x4E8E;&#x7F51;&#x7EDC;&#x5165;&#x53E3;&#x6216;&#x8FB9;&#x7F18;&#xFF0C;&#x9488;&#x5BF9;&#x4E8E;&#x7F51;&#x7EDC;&#x5165;&#x53E3;&#x8FDB;&#x884C;&#x9632;&#x62A4;&#xFF0C;&#x670D;&#x52A1;&#x4E8E;&#x9632;&#x706B;&#x5899;&#x80CC;&#x540E;&#x7684;&#x672C;&#x5730;&#x5C40;&#x57DF;&#x7F51;&#xFF08;&#x9488;&#x5BF9;&#x4E8E;&#x96C6;&#x4F53;&#xFF09;</p>
</li>
</ul>
<p>&#x4ECE;&#x7269;&#x7406;&#x4E0A;&#x8BB2;&#xFF0C;&#x9632;&#x706B;&#x5899;&#x53EF;&#x4EE5;&#x5206;&#x4E3A;&#x786C;&#x4EF6;&#x9632;&#x706B;&#x5899;&#x548C;&#x8F6F;&#x4EF6;&#x9632;&#x706B;&#x5899;&#xFF1A;</p>
<ul>
<li><p>&#x786C;&#x4EF6;&#x9632;&#x706B;&#x5899;&#xFF1A;&#x5728;&#x786C;&#x4EF6;&#x7EA7;&#x522B;&#x5B9E;&#x73B0;&#x90E8;&#x5206;&#x9632;&#x706B;&#x5899;&#x529F;&#x80FD;&#xFF0C;&#x53E6;&#x4E00;&#x90E8;&#x5206;&#x529F;&#x80FD;&#x57FA;&#x4E8E;&#x8F6F;&#x4EF6;&#x5B9E;&#x73B0;&#xFF0C;&#x6027;&#x80FD;&#x9AD8;&#xFF0C;&#x6210;&#x672C;&#x9AD8;</p>
</li>
<li><p>&#x8F6F;&#x4EF6;&#x9632;&#x706B;&#x5899;&#xFF1A;&#x5E94;&#x7528;&#x8F6F;&#x4EF6;&#x5904;&#x7406;&#x903B;&#x8F91;&#x8FD0;&#x884C;&#x4E8E;&#x901A;&#x7528;&#x786C;&#x4EF6;&#x5E73;&#x53F0;&#x4E4B;&#x4E0A;&#x7684;&#x9632;&#x706B;&#x5899;&#xFF0C;&#x6027;&#x80FD;&#x4F4E;&#xFF0C;&#x6210;&#x672C;&#x4F4E;</p>
</li>
</ul>
<h2 id="iptables&#x57FA;&#x7840;"><a name="iptables&#x57FA;&#x7840;" class="anchor-navigation-ex-anchor" href="#iptables&#x57FA;&#x7840;"><i class="fa fa-link" aria-hidden="true"></i></a>1.2. iptables&#x57FA;&#x7840;</h2>
<p>Linux&#x4E0A;&#x7684;iptables&#x5B9E;&#x4E3A;&#x4E00;&#x4E2A;&#x547D;&#x4EE4;&#x884C;&#x5DE5;&#x5177;&#xFF0C;&#x4F4D;&#x4E8E;&#x7528;&#x6237;&#x7A7A;&#x95F4;&#x4E4B;&#x4E2D;&#xFF0C;&#x5185;&#x6838;&#x7A7A;&#x95F4;&#x7684;<code>netfilter</code>&#x5B89;&#x5168;&#x6846;&#x67B6;&#x624D;&#x662F;&#x771F;&#x6B63;&#x7684;&#x9632;&#x706B;&#x5899;.</p>
<p>iptables&#x5E76;&#x975E;&#x5B88;&#x62A4;&#x8FDB;&#x7A0B;&#xFF0C;&#x6240;&#x4EE5;&#x5E76;&#x4E0D;&#x80FD;&#x7B97;&#x662F;&#x771F;&#x6B63;&#x610F;&#x4E49;&#x4E0A;&#x7684;&#x670D;&#x52A1;&#xFF0C;&#x800C;&#x5E94;&#x8BE5;&#x7B97;&#x662F;&#x5185;&#x6838;&#x63D0;&#x4F9B;&#x7684;&#x529F;&#x80FD;.</p>
<h3 id="iptables&#x5339;&#x914D;&#x6D41;&#x7A0B;"><a name="iptables&#x5339;&#x914D;&#x6D41;&#x7A0B;" class="anchor-navigation-ex-anchor" href="#iptables&#x5339;&#x914D;&#x6D41;&#x7A0B;"><i class="fa fa-link" aria-hidden="true"></i></a>1.2.1. iptables&#x5339;&#x914D;&#x6D41;&#x7A0B;</h3>
<p><a href="https://timgsa.baidu.com/timg?image&amp;quality=80&amp;size=b9999_10000&amp;sec=1576642766058&amp;di=8aeb24425e8ea862adb659f1d2a90832&amp;imgtype=0&amp;src=http%3A%2F%2Fimg1.51cto.com%2Fattachment%2F201311%2F183446342.png" data-lightbox="8b4efda5-5c6e-48ff-9993-68db46abdcd6" data-title="&#x6765;&#x6E90;&#x4E8E;&#x7F51;&#x7EDC;" target="_blank"><img src="https://timgsa.baidu.com/timg?image&amp;quality=80&amp;size=b9999_10000&amp;sec=1576642766058&amp;di=8aeb24425e8ea862adb659f1d2a90832&amp;imgtype=0&amp;src=http%3A%2F%2Fimg1.51cto.com%2Fattachment%2F201311%2F183446342.png" alt="&#x6765;&#x6E90;&#x4E8E;&#x7F51;&#x7EDC;"></a></p>
<h3 id="iptables&#x7684;&#x56DB;&#x8868;&#x4E94;&#x94FE;"><a name="iptables&#x7684;&#x56DB;&#x8868;&#x4E94;&#x94FE;" class="anchor-navigation-ex-anchor" href="#iptables&#x7684;&#x56DB;&#x8868;&#x4E94;&#x94FE;"><i class="fa fa-link" aria-hidden="true"></i></a>1.2.2. iptables&#x7684;&#x56DB;&#x8868;&#x4E94;&#x94FE;</h3>
<p>&#x56DB;&#x8868;</p>
<ul>
<li>Filter&#x8868;&#xFF1A;&#x8FC7;&#x6EE4;&#x6570;&#x636E;&#x5305;&#xFF0C;&#x9632;&#x706B;&#x5899;&#xFF1B;&#x5185;&#x6838;&#x6A21;&#x5757;&#xFF1A;iptables_filter</li>
<li>NAT&#x8868;&#xFF1A;&#x7528;&#x4E8E;&#x7F51;&#x7EDC;&#x5730;&#x5740;&#x8F6C;&#x6362;(IP&#x3001;&#x7AEF;&#x53E3;)&#xFF1B;&#x5185;&#x6838;&#x6A21;&#x5757;&#xFF1A;iptable_nat</li>
<li>Mangle&#x8868;&#xFF1A;&#x62C6;&#x89E3;&#x4FEE;&#x6539;&#x91CD;&#x65B0;&#x5C01;&#x88C5;&#x6570;&#x636E;&#x5305;&#x7684;&#x670D;&#x52A1;&#x7C7B;&#x578B;&#x3001;TTL&#x3001;&#x5E76;&#x4E14;&#x53EF;&#x4EE5;&#x914D;&#x7F6E;&#x8DEF;&#x7531;&#x5B9E;&#x73B0;QOS&#xFF1B;&#x5185;&#x6838;&#x6A21;&#x5757;&#xFF1A;iptable_mangle</li>
<li>Raw&#x8868;&#xFF1A;&#x5173;&#x95ED;nat&#x8868;&#x4E0A;&#x7684;&#x72B6;&#x6001;&#x8DDF;&#x8E2A;&#x673A;&#x5236;&#xFF1B;&#x5185;&#x6838;&#x6A21;&#x5757;&#xFF1A;iptable_raw</li>
</ul>
<p>&#x4E94;&#x94FE;&#xFF08;&#x5185;&#x7F6E;&#x94FE;&#xFF09;</p>
<ul>
<li>INPUT&#x94FE;&#xFF1A;&#x8FDB;&#x6765;&#x7684;&#x6570;&#x636E;&#x5305;&#x5E94;&#x7528;&#x6B64;&#x89C4;&#x5219;&#x94FE;&#x4E2D;&#x7684;&#x89C4;&#x5219;</li>
<li>OUTPUT&#x94FE;&#xFF1A;&#x5916;&#x51FA;&#x7684;&#x6570;&#x636E;&#x5305;&#x5E94;&#x7528;&#x6B64;&#x89C4;&#x5219;&#x94FE;&#x4E2D;&#x7684;&#x89C4;&#x5219;</li>
<li>FORWARD&#x94FE;&#xFF1A;&#x8F6C;&#x53D1;&#x6570;&#x636E;&#x5305;&#x65F6;&#x5E94;&#x7528;&#x6B64;&#x89C4;&#x5219;&#x94FE;&#x4E2D;&#x7684;&#x89C4;&#x5219;</li>
<li>PREROUTING&#x94FE;&#xFF1A;&#x5BF9;&#x6570;&#x636E;&#x5305;&#x4F5C;&#x8DEF;&#x7531;&#x9009;&#x62E9;&#x524D;&#x5E94;&#x7528;&#x6B64;&#x94FE;&#x4E2D;&#x7684;&#x89C4;&#x5219;</li>
<li>POSTROUTING&#x94FE;&#xFF1A;&#x5BF9;&#x6570;&#x636E;&#x5305;&#x4F5C;&#x8DEF;&#x7531;&#x9009;&#x62E9;&#x540E;&#x5E94;&#x7528;&#x6B64;&#x94FE;&#x4E2D;&#x7684;&#x89C4;&#x5219;</li>
</ul>
<p>:warning:<strong>&#x7279;&#x522B;&#x6CE8;&#x610F;&#xFF1A;</strong>&#x5982;&#x679C;&#x60F3;&#x8981;Linux&#x4E3B;&#x673A;&#x652F;&#x6301;&#x8F6C;&#x53D1;&#x529F;&#x80FD;&#xFF0C;&#x5219;&#x9700;&#x8981;&#x5F00;&#x542F;&#x5185;&#x6838;&#x7684;<code>IP_FORWARD</code>&#x529F;&#x80FD;&#xFF0C;&#x4E34;&#x65F6;&#x4FEE;&#x6539;<code>/proc/sys/net/ipv4/ip_forward</code>&#x7684;&#x503C;&#x4E3A;1&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A;0&#x5173;&#x95ED;&#x72B6;&#x6001;&#xFF09;&#xFF0C;&#x6C38;&#x4E45;&#x4FEE;&#x6539;&#x5219;&#x9700;&#x5C06;&#x5176;&#x6DFB;&#x52A0;&#x5230;<code>/etc/sysctl.conf</code>&#x6587;&#x4EF6;&#x5F53;&#x4E2D;&#x53BB;&#xFF08;&#x901A;&#x8FC7;&#x8BE5;&#x6587;&#x4EF6;&#x4FEE;&#x6539;&#x7684;&#x5185;&#x6838;&#x53C2;&#x6570;&#x4E0D;&#x4F1A;&#x7ACB;&#x5373;&#x751F;&#x6548;,&#x4FEE;&#x6539;&#x5B8C;&#x6210;&#x540E;&#xFF0C;&#x4F7F;&#x7528;<code>sysctl -p</code>&#x547D;&#x4EE4;&#x53EF;&#x4EE5;&#x4F7F;&#x8FD9;&#x4E9B;&#x8BBE;&#x7F6E;&#x7ACB;&#x5373;&#x751F;&#x6548;.&#xFF09;&#x3002;</p>
<p>&#x81EA;&#x5B9A;&#x4E49;&#x94FE;&#xFF1A;&#x7528;&#x4E8E;&#x5185;&#x7F6E;&#x94FE;&#x7684;&#x6269;&#x5C55;&#x548C;&#x8865;&#x5145;&#xFF0C;&#x53EF;&#x5B9E;&#x73B0;&#x66F4;&#x7075;&#x6D3B;&#x7684;&#x89C4;&#x5219;&#x7BA1;&#x7406;&#x673A;&#x5236;.</p>
<p>&#x7531;<a href="#iptables&#x5339;&#x914D;&#x6D41;&#x7A0B;">iptables&#x5339;&#x914D;&#x6D41;&#x7A0B;</a>&#x56FE;&#x53EF;&#x4EE5;&#x5F97;&#x51FA;&#x56DB;&#x8868;&#x53EF;&#x4EE5;&#x88AB;&#x90A3;&#x4E9B;&#x94FE;&#x4F7F;&#x7528;(&#x901A;&#x8FC7;&quot;&#x8868;&quot;&#x4F5C;&#x4E3A;&#x64CD;&#x4F5C;&#x5165;&#x53E3;&#xFF0C;&#x5BF9;&#x89C4;&#x5219;&#x8FDB;&#x884C;&#x5B9A;&#x4E49;)&#xFF1A;</p>
<ul>
<li><p>raw&#xFF1A;PREROUTING&#xFF0C;OUTPUT</p>
</li>
<li><p>mangle&#xFF1A;PREROUTING&#xFF0C;INPUT&#xFF0C;FORWARD&#xFF0C;OUTPUT&#xFF0C;POSTROUTING</p>
</li>
<li><p>nat &#xFF1A;PREROUTING&#xFF0C;OUTPUT&#xFF0C;POSTROUTING&#xFF08;centos7&#x4E2D;&#x8FD8;&#x6709;INPUT&#xFF0C;&#x800C;centos6&#x4E2D;&#x6CA1;&#x6709;&#xFF09;</p>
</li>
<li><p>filter&#xFF1A;INPUT&#xFF0C;FORWARD&#xFF0C;OUTPUT</p>
</li>
</ul>
<p><code>OUTPUT</code>&#x5B58;&#x5728;&#x4E8E;&#x6240;&#x6709;&#x8868;&#x4E2D;</p>
<h3 id="&#x8868;&#x4F18;&#x5148;&#x7EA7;"><a name="&#x8868;&#x4F18;&#x5148;&#x7EA7;" class="anchor-navigation-ex-anchor" href="#&#x8868;&#x4F18;&#x5148;&#x7EA7;"><i class="fa fa-link" aria-hidden="true"></i></a>1.2.3. &#x8868;&#x4F18;&#x5148;&#x7EA7;</h3>
<p>iptables&#x4E3A;&#x6211;&#x4EEC;&#x5B9A;&#x4E49;&#x4E86;4&#x5F20;&quot;&#x8868;&quot;&#xFF0C;&#x5F53;&#x4ED6;&#x4EEC;&#x5904;&#x4E8E;&#x540C;&#x4E00;&#x6761;&quot;&#x94FE;&quot;&#x65F6;&#xFF0C;&#x6267;&#x884C;&#x7684;&#x4F18;&#x5148;&#x7EA7;&#x5982;&#x4E0B;&#xFF1A;</p>
<p>&#x4F18;&#x5148;&#x7EA7;&#x6B21;&#x5E8F;&#xFF08;&#x7531;&#x9AD8;&#x800C;&#x4F4E;&#xFF09;&#xFF1A;<code>raw --&gt; mangle --&gt; nat --&gt; filter</code></p>
<h3 id="iptables&#x89C4;&#x5219;"><a name="iptables&#x89C4;&#x5219;" class="anchor-navigation-ex-anchor" href="#iptables&#x89C4;&#x5219;"><i class="fa fa-link" aria-hidden="true"></i></a>1.2.4. iptables&#x89C4;&#x5219;</h3>
<h4 id="&#x5339;&#x914D;&#x6761;&#x4EF6;"><a name="&#x5339;&#x914D;&#x6761;&#x4EF6;" class="anchor-navigation-ex-anchor" href="#&#x5339;&#x914D;&#x6761;&#x4EF6;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5339;&#x914D;&#x6761;&#x4EF6;</h4>
<p>&#x5339;&#x914D;&#x6761;&#x4EF6;&#x5206;&#x4E3A;&#x57FA;&#x672C;&#x5339;&#x914D;&#x6761;&#x4EF6;&#x548C;&#x6269;&#x5C55;&#x5339;&#x914D;&#x6761;&#x4EF6;</p>
<p>&#x57FA;&#x672C;&#x5339;&#x914D;&#x6761;&#x4EF6;&#xFF1A;&#x6E90;&#x5730;&#x5740;Source IP&#xFF0C;&#x76EE;&#x6807;&#x5730;&#x5740; Destination IP</p>
<p>&#x6269;&#x5C55;&#x5339;&#x914D;&#x6761;&#x4EF6;&#xFF1A;&#x4F7F;&#x7528;&#x7684;&#x662F;&#x6269;&#x5C55;&#x6A21;&#x5757;&#x5904;&#x7406;&#xFF0C;&#x53EF;&#x4EE5;&#x4F7F;&#x7528;<code>rpm -ql iptables | grep *.so$ | less</code>&#x67E5;&#x770B;&#x652F;&#x6301;&#x7684;&#x6A21;&#x5757;</p>
<h4 id="&#x5E38;&#x7528;target"><a name="&#x5E38;&#x7528;target" class="anchor-navigation-ex-anchor" href="#&#x5E38;&#x7528;target"><i class="fa fa-link" aria-hidden="true"></i></a>&#x5E38;&#x7528;target</h4>
<ul>
<li><strong>ACCEPT</strong>&#xFF1A;&#x5141;&#x8BB8;&#x6570;&#x636E;&#x5305;&#x901A;&#x8FC7;</li>
<li><strong>DROP</strong>&#xFF1A;&#x76F4;&#x63A5;&#x4E22;&#x5F03;&#x6570;&#x636E;&#x5305;&#xFF0C;&#x4E0D;&#x7ED9;&#x4EFB;&#x4F55;&#x56DE;&#x5E94;&#x4FE1;&#x606F;&#xFF0C;&#x8FD9;&#x65F6;&#x5019;&#x5BA2;&#x6237;&#x7AEF;&#x4F1A;&#x611F;&#x89C9;&#x81EA;&#x5DF1;&#x7684;&#x8BF7;&#x6C42;&#x6CE5;&#x725B;&#x5165;&#x6D77;&#x4E86;&#xFF0C;&#x8FC7;&#x4E86;&#x8D85;&#x65F6;&#x65F6;&#x95F4;&#x624D;&#x4F1A;&#x6709;&#x53CD;&#x5E94;</li>
<li><strong>REJECT</strong>&#xFF1A;&#x62D2;&#x7EDD;&#x6570;&#x636E;&#x5305;&#x901A;&#x8FC7;&#xFF0C;&#x5FC5;&#x8981;&#x65F6;&#x4F1A;&#x7ED9;&#x6570;&#x636E;&#x53D1;&#x9001;&#x7AEF;&#x4E00;&#x4E2A;&#x54CD;&#x5E94;&#x7684;&#x4FE1;&#x606F;&#xFF0C;&#x5BA2;&#x6237;&#x7AEF;&#x521A;&#x8BF7;&#x6C42;&#x5C31;&#x4F1A;&#x6536;&#x5230;&#x62D2;&#x7EDD;&#x7684;&#x4FE1;&#x606F;</li>
<li><p><strong>SNAT</strong>&#xFF1A;&#x6E90;&#x5730;&#x5740;&#x8F6C;&#x6362;&#xFF0C;&#x89E3;&#x51B3;&#x5185;&#x7F51;&#x7528;&#x6237;&#x7528;&#x540C;&#x4E00;&#x4E2A;&#x516C;&#x7F51;&#x5730;&#x5740;&#x4E0A;&#x7F51;&#x7684;&#x95EE;&#x9898;</p>
</li>
<li><p><strong>MASQUERADE</strong>&#xFF1A;&#x662F;SNAT&#x7684;&#x4E00;&#x79CD;&#x7279;&#x6B8A;&#x5F62;&#x5F0F;&#xFF0C;&#x9002;&#x7528;&#x4E8E;&#x52A8;&#x6001;&#x7684;&#x3001;&#x4E34;&#x65F6;&#x4F1A;&#x53D8;&#x7684;ip&#x4E0A;</p>
</li>
<li><p><strong>DNAT</strong>&#xFF1A;&#x76EE;&#x6807;&#x5730;&#x5740;&#x8F6C;&#x6362;</p>
</li>
<li><p><strong>REDIRECT</strong>&#xFF1A;&#x5728;&#x672C;&#x673A;&#x505A;&#x7AEF;&#x53E3;&#x6620;&#x5C04;</p>
</li>
<li><p><strong>LOG</strong>&#xFF1A;&#x5728;<code>/var/log/messages</code>&#x6587;&#x4EF6;&#x4E2D;&#x8BB0;&#x5F55;&#x65E5;&#x5FD7;&#x4FE1;&#x606F;&#xFF0C;&#x7136;&#x540E;&#x5C06;&#x6570;&#x636E;&#x5305;&#x4F20;&#x9012;&#x7ED9;&#x4E0B;&#x4E00;&#x6761;&#x89C4;&#x5219;&#xFF0C;&#x4E5F;&#x5C31;&#x662F;&#x8BF4;&#x9664;&#x4E86;&#x8BB0;&#x5F55;&#x4EE5;&#x5916;&#x4E0D;&#x5BF9;&#x6570;&#x636E;&#x5305;&#x505A;&#x4EFB;&#x4F55;&#x5176;&#x4ED6;&#x64CD;&#x4F5C;&#xFF0C;&#x4ECD;&#x7136;&#x8BA9;&#x4E0B;&#x4E00;&#x6761;&#x89C4;&#x5219;&#x53BB;&#x5339;&#x914D;</p>
</li>
</ul>
<p><code>ACCEPT</code>&#x548C;<code>DROP</code>&#x5C5E;&#x4E8E;&#x57FA;&#x672C;&#x5904;&#x7406;&#x52A8;&#x4F5C;&#xFF0C;&#x5176;&#x4ED6;&#x7684;&#x90FD;&#x5C5E;&#x4E8E;&#x6269;&#x5C55;&#x5904;&#x7406;&#x52A8;&#x4F5C;.</p>
<h2 id="iptables&#x89C4;&#x5219;&#x67E5;&#x8BE2;"><a name="iptables&#x89C4;&#x5219;&#x67E5;&#x8BE2;" class="anchor-navigation-ex-anchor" href="#iptables&#x89C4;&#x5219;&#x67E5;&#x8BE2;"><i class="fa fa-link" aria-hidden="true"></i></a>1.3. iptables&#x89C4;&#x5219;&#x67E5;&#x8BE2;</h2>
<ol>
<li>&#x67E5;&#x8BE2;&#x6240;&#x6709;&#x89C4;&#x5219;&#xFF08;&#x9ED8;&#x8BA4;&#x4E3A;filter&#x8868;&#xFF09;</li>
</ol>
<pre class="language-"><code class="lang-bash">iptables -vnL --line-number            <span class="token comment"># &#x53C2;&#x6570;-v&#x8868;&#x793A;&#x663E;&#x793A;&#x8BE6;&#x7EC6;&#x4FE1;&#x606F;&#xFF0C;-n&#x8868;&#x793A;&#x53D6;&#x6D88;&#x57DF;&#x540D;&#x53CD;&#x89E3;&#xFF0C;-L&#x7B49;&#x540C;&#x4E8E;--list&#x8868;&#x793A;&#x5217;&#x51FA;&#x89C4;&#x5219;&#xFF0C; --line-number&#x8868;&#x793A;&#x663E;&#x793A;&#x89C4;&#x5219;&#x884C;&#x53F7;&#xFF0C;&#x4FBF;&#x4E8E;&#x589E;&#x5220;&#x6539;&#x67E5;</span>
Chain INPUT <span class="token punctuation">(</span>policy ACCEPT <span class="token number">220</span> packets, <span class="token number">21736</span> bytes<span class="token punctuation">)</span>        <span class="token comment"># &#x4EE5;INPUT&#x94FE;&#x4E3A;&#x4F8B;</span>
 pkts bytes target     prot opt <span class="token keyword">in</span>     out     <span class="token builtin class-name">source</span>               destination
</code></pre>
<p><code>Chain INPUT (policy ACCEPT 220 packets, 21736 bytes)</code>&#x62EC;&#x53F7;&#x4E2D;<code>policy</code>&#xFF0C;<code>packets</code>&#x548C;<code>bytes</code>&#x7684;&#x542B;&#x4E49;&#xFF1A;</p>
<ul>
<li><code>policy</code>&#xFF1A;&#x8868;&#x793A;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#xFF0C;<code>ACCEPT</code>&#x8868;&#x793A;&#x9ED8;&#x8BA4;&#x63A5;&#x53D7;&#x901A;&#x8FC7;INPUT&#x5173;&#x5361;&#x7684;&#x6240;&#x6709;&#x8BF7;&#x6C42;&#xFF0C;&#x5373;&#x201C;&#x9ED1;&#x540D;&#x5355;&#x673A;&#x5236;&#x201D;</li>
<li><code>packets</code>&#xFF1A;&#x8868;&#x793A;&#x5F53;&#x524D;&#x94FE;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#x5339;&#x914D;&#x5230;&#x7684;&#x5305;&#x7684;&#x6570;&#x91CF;</li>
<li><code>bytes</code>&#xFF1A;&#x8868;&#x793A;&#x5F53;&#x524D;&#x94FE;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#x5339;&#x914D;&#x5230;&#x7684;&#x6240;&#x6709;&#x5305;&#x7684;&#x5927;&#x5C0F;&#x603B;&#x548C;</li>
</ul>
<p>&#x5F53;<code>packets</code>&#x548C;<code>bytes</code>&#x8FBE;&#x5230;&#x4E00;&#x5B9A;&#x5927;&#x5C0F;&#x65F6;&#xFF0C;&#x4F1A;&#x663E;&#x793A;&#x7C97;&#x7565;&#x7684;&#x5927;&#x5C0F;&#xFF0C;&#x5982;&#x679C;&#x60F3;&#x8981;&#x8BE6;&#x7EC6;&#x663E;&#x793A;&#xFF0C;&#x5219;&#x9700;&#x5728;&#x67E5;&#x8BE2;&#x65F6;&#x589E;&#x52A0;<code>-x</code>&#x9009;&#x9879;.</p>
<p>&#x8BE6;&#x7EC6;&#x4FE1;&#x606F;&#x4E2D;&#x5404;&#x4E2A;&#x5B57;&#x6BB5;&#x7684;&#x542B;&#x4E49;&#xFF1A;</p>
<ul>
<li><p>pkts&#xFF1A;&#x5BF9;&#x5E94;&#x89C4;&#x5219;&#x5339;&#x914D;&#x5230;&#x7684;&#x62A5;&#x6587;&#x7684;&#x4E2A;&#x6570;</p>
</li>
<li><p>bytes&#xFF1A;&#x5BF9;&#x5E94;&#x5339;&#x914D;&#x5230;&#x7684;&#x62A5;&#x6587;&#x5305;&#x7684;&#x5927;&#x5C0F;&#x603B;&#x548C;</p>
</li>
<li><p>target&#xFF1A;&#x89C4;&#x5219;&#x5BF9;&#x5E94;&#x7684;target&#xFF0C;&#x5F80;&#x5F80;&#x8868;&#x793A;&#x89C4;&#x5219;&#x5BF9;&#x5E94;&#x7684;&quot;&#x52A8;&#x4F5C;&quot;&#xFF0C;&#x5373;&#x89C4;&#x5219;&#x5339;&#x914D;&#x6210;&#x529F;&#x540E;&#x9700;&#x8981;&#x91C7;&#x53D6;&#x7684;&#x63AA;&#x65BD;</p>
</li>
<li>prot&#xFF1A;&#x8868;&#x793A;&#x89C4;&#x5219;&#x5BF9;&#x5E94;&#x7684;&#x534F;&#x8BAE;&#xFF0C;&#x662F;&#x5426;&#x53EA;&#x9488;&#x5BF9;&#x67D0;&#x4E9B;&#x534F;&#x8BAE;&#x5E94;&#x7528;&#x6B64;&#x89C4;&#x5219;</li>
<li>opt&#xFF1A;&#x8868;&#x793A;&#x89C4;&#x5219;&#x5BF9;&#x5E94;&#x7684;&#x9009;&#x9879;</li>
<li>in&#xFF1A;&#x8868;&#x793A;&#x6570;&#x636E;&#x5305;&#x7531;&#x54EA;&#x4E2A;&#x63A5;&#x53E3;(&#x7F51;&#x5361;)&#x6D41;&#x5165;&#xFF0C;&#x6211;&#x4EEC;&#x53EF;&#x4EE5;&#x8BBE;&#x7F6E;&#x901A;&#x8FC7;&#x54EA;&#x5757;&#x7F51;&#x5361;&#x6D41;&#x5165;&#x7684;&#x62A5;&#x6587;&#x9700;&#x8981;&#x5339;&#x914D;&#x5F53;&#x524D;&#x89C4;&#x5219;</li>
<li>out&#xFF1A;&#x8868;&#x793A;&#x6570;&#x636E;&#x5305;&#x7531;&#x54EA;&#x4E2A;&#x63A5;&#x53E3;(&#x7F51;&#x5361;)&#x6D41;&#x51FA;&#xFF0C;&#x6211;&#x4EEC;&#x53EF;&#x4EE5;&#x8BBE;&#x7F6E;&#x901A;&#x8FC7;&#x54EA;&#x5757;&#x7F51;&#x5361;&#x6D41;&#x51FA;&#x7684;&#x62A5;&#x6587;&#x9700;&#x8981;&#x5339;&#x914D;&#x5F53;&#x524D;&#x89C4;&#x5219;</li>
<li>source&#xFF1A;&#x8868;&#x793A;&#x89C4;&#x5219;&#x5BF9;&#x5E94;&#x7684;&#x6E90;&#x5934;&#x5730;&#x5740;&#xFF0C;&#x53EF;&#x4EE5;&#x662F;&#x4E00;&#x4E2A;IP&#xFF0C;&#x4E5F;&#x53EF;&#x4EE5;&#x662F;&#x4E00;&#x4E2A;&#x7F51;&#x6BB5;</li>
<li><p>destination&#xFF1A;&#x8868;&#x793A;&#x89C4;&#x5219;&#x5BF9;&#x5E94;&#x7684;&#x76EE;&#x6807;&#x5730;&#x5740;&#x53EF;&#x4EE5;&#x662F;&#x4E00;&#x4E2A;IP&#xFF0C;&#x4E5F;&#x53EF;&#x4EE5;&#x662F;&#x4E00;&#x4E2A;&#x7F51;&#x6BB5;</p>
</li>
<li><p>&#x67E5;&#x8BE2;&#x67D0;&#x4E2A;&#x8868;&#x4E2D;&#x7684;&#x89C4;&#x5219;&#x6216;&#x8005;&#x67D0;&#x4E2A;&#x8868;&#x7684;&#x67D0;&#x4E2A;&#x94FE;</p>
</li>
</ul>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x67E5;&#x8BE2;nat&#x8868;&#x6240;&#x6709;&#x89C4;&#x5219;</span>
iptables -t nat -L            <span class="token comment"># -t&#x8868;&#x793A;&#x8868;&#x7C7B;&#x578B;</span>
<span class="token comment"># &#x67E5;&#x8BE2;nat&#x8868;&#x7684;INPUT&#x94FE;</span>
iptables -t nat -L INPUT
</code></pre>
<h2 id="iptables&#x89C4;&#x5219;&#x7BA1;&#x7406;"><a name="iptables&#x89C4;&#x5219;&#x7BA1;&#x7406;" class="anchor-navigation-ex-anchor" href="#iptables&#x89C4;&#x5219;&#x7BA1;&#x7406;"><i class="fa fa-link" aria-hidden="true"></i></a>1.4. iptables&#x89C4;&#x5219;&#x7BA1;&#x7406;</h2>
<h3 id="&#x94FE;&#x7BA1;&#x7406;&#x76F8;&#x5173;"><a name="&#x94FE;&#x7BA1;&#x7406;&#x76F8;&#x5173;" class="anchor-navigation-ex-anchor" href="#&#x94FE;&#x7BA1;&#x7406;&#x76F8;&#x5173;"><i class="fa fa-link" aria-hidden="true"></i></a>1.4.1. &#x94FE;&#x7BA1;&#x7406;&#x76F8;&#x5173;</h3>
<h4 id="&#x81EA;&#x5B9A;&#x4E49;&#x94FE;"><a name="&#x81EA;&#x5B9A;&#x4E49;&#x94FE;" class="anchor-navigation-ex-anchor" href="#&#x81EA;&#x5B9A;&#x4E49;&#x94FE;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x81EA;&#x5B9A;&#x4E49;&#x94FE;</h4>
<p>&#x589E;&#x52A0;&#x81EA;&#x5B9A;&#x4E49;&#x94FE;</p>
<pre class="language-"><code class="lang-bash">iptables -N diy_chain
</code></pre>
<p>&#x5220;&#x9664;&#x81EA;&#x5B9A;&#x4E49;&#x94FE;&#xFF08;&#x8981;&#x6C42;&#x81EA;&#x5B9A;&#x4E49;&#x94FE;&#x5FC5;&#x987B;&#x662F;&#x7A7A;&#x7684;&#xFF0C;&#x800C;&#x4E14;&#x6CA1;&#x6709;&#x88AB;&#x5F15;&#x7528;&#x3010;&#x5F15;&#x7528;&#x8BA1;&#x6570;&#x4E3A;0&#x3011;&#xFF09;</p>
<pre class="language-"><code class="lang-bash">iptables -X diy_chain
</code></pre>
<p>&#x91CD;&#x547D;&#x540D;&#x81EA;&#x5B9A;&#x4E49;&#x94FE;</p>
<pre class="language-"><code class="lang-bash">iptables -E diy_chain new_chain
</code></pre>
<h4 id="&#x4FEE;&#x6539;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;"><a name="&#x4FEE;&#x6539;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;" class="anchor-navigation-ex-anchor" href="#&#x4FEE;&#x6539;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x4FEE;&#x6539;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;</h4>
<p>&#x5BF9;&#x4E8E;filter&#x800C;&#x8A00;&#xFF0C;&#x5176;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#x6709;&#xFF1A;<code>ACCEPT</code>&#x3001;<code>DROP</code>&#x548C;<code>REJECT</code></p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5C06;FORWARD&#x94FE;&#x7684;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#x6539;&#x4E3A;DROP</span>
iptables -P FORWARD DROP
</code></pre>
<p>&#x7279;&#x522B;&#x5730;&#xFF0C;&#x4E0D;&#x8981;&#x5C06;&#x7A7A;&#x7684;filter&#x8868;&#x7684;INPUT&#x94FE;&#x8BBE;&#x4E3A;DROP&#xFF0C;&#x5426;&#x5219;&#x5F53;&#x524D;&#x8FDC;&#x7A0B;&#x8FDE;&#x63A5;&#x4F1A;&#x88AB;&#x65AD;&#x5F00;.</p>
<h3 id="&#x89C4;&#x5219;&#x7BA1;&#x7406;&#x76F8;&#x5173;"><a name="&#x89C4;&#x5219;&#x7BA1;&#x7406;&#x76F8;&#x5173;" class="anchor-navigation-ex-anchor" href="#&#x89C4;&#x5219;&#x7BA1;&#x7406;&#x76F8;&#x5173;"><i class="fa fa-link" aria-hidden="true"></i></a>1.4.2. &#x89C4;&#x5219;&#x7BA1;&#x7406;&#x76F8;&#x5173;</h3>
<h4 id="&#x589E;&#x52A0;&#x89C4;&#x5219;"><a name="&#x589E;&#x52A0;&#x89C4;&#x5219;" class="anchor-navigation-ex-anchor" href="#&#x589E;&#x52A0;&#x89C4;&#x5219;"><i class="fa fa-link" aria-hidden="true"></i></a>&#x589E;&#x52A0;&#x89C4;&#x5219;</h4>
<p>==&#x57FA;&#x672C;&#x5339;&#x914D;&#x6761;&#x4EF6;==</p>
<p>&#x6765;&#x81EA;172.16.122.0/24&#x4E3B;&#x673A;&#x7684;tcp&#x8FDE;&#x63A5;&#x5230;&#x672C;&#x5730;&#x4E3B;&#x673A;&#x90FD;&#x63A5;&#x53D7;</p>
<pre class="language-"><code class="lang-bash">iptables -A INPUT -s <span class="token number">172.16</span>.122.0/24 -d <span class="token number">172.16</span>.122.135 -p tcp  -j ACCEPT
</code></pre>
<p>&#x4EE5;&#x4E0A;&#x7684;<code>-s</code>&#x3001;<code>-d</code>&#x3001;<code>-p</code>&#x90FD;&#x4E3A;&#x57FA;&#x672C;&#x6761;&#x4EF6;&#x7684;&#x53C2;&#x6570;&#xFF0C;&#x6B64;&#x5916;&#x8FD8;&#x6709;<code>-o</code>&#xFF08;&#x6570;&#x636E;&#x62A5;&#x6587;&#x6D41;&#x51FA;&#x7684;&#x63A5;&#x53E3;&#xFF0C;&#x53EA;&#x80FD;&#x5E94;&#x7528;&#x4E8E;&#x6570;&#x636E;&#x62A5;&#x6587;&#x7684;&#x6D41;&#x51FA;&#x73AF;&#x8282;&#xFF0C;&#x4E14;&#x53EA;&#x80FD;&#x9002;&#x7528;&#x4E8E;<code>FORWARD</code>&#x3001;<code>OUTPUT</code>&#x548C;<code>POSTROUTING</code>&#x94FE;&#xFF09;&#x548C;<code>-i</code>&#xFF08;&#x6570;&#x636E;&#x62A5;&#x6587;&#x6D41;&#x5165;&#x7684;&#x63A5;&#x53E3;&#xFF0C;&#x53EA;&#x80FD;&#x5E94;&#x7528;&#x4E8E;&#x6570;&#x636E;&#x62A5;&#x6587;&#x7684;&#x6D41;&#x5165;&#x73AF;&#x8282;&#xFF0C;&#x4E14;&#x53EA;&#x80FD;&#x9002;&#x7528;&#x4E8E;<code>PREROUTING</code>&#x3001;<code>INPUT</code>&#x548C;<code>FORWARD</code>&#x94FE;&#xFF09;</p>
<p>==&#x6269;&#x5C55;&#x5339;&#x914D;&#x6761;&#x4EF6;==</p>
<ul>
<li>&#x9690;&#x5F0F;&#x6269;&#x5C55;</li>
</ul>
<p><a href="https://s2.ax1x.com/2019/12/18/Q7sidS.png" data-lightbox="3c662b5a-4bc6-440d-af99-3f9621ecba0a" data-title="&#x9690;&#x5F0F;&#x6269;&#x5C55;" target="_blank"><img src="https://s2.ax1x.com/2019/12/18/Q7sidS.png" alt="&#x9690;&#x5F0F;&#x6269;&#x5C55;"></a></p>
<p><a href="#iptables&#x5B9E;&#x4F8B;">&#x9690;&#x5F0F;&#x6269;&#x5C55;&#x7B80;&#x5355;&#x4F7F;&#x7528;-1</a></p>
<ul>
<li>&#x663E;&#x5F0F;&#x6269;&#x5C55;&#xFF08;&#x9700;&#x8981;&#x4F7F;&#x7528;<code>-m</code>&#x9009;&#x9879;&#xFF09;</li>
</ul>
<p>&#x5E2E;&#x52A9;&#x6587;&#x6863;&#xFF1A;<code>man iptables-extensions</code></p>
<p><a href="https://s2.ax1x.com/2019/12/18/Q7R2Os.png" data-lightbox="440352df-fa26-4f0a-a20b-d9bd9f225d27" data-title="1-2" target="_blank"><img src="https://s2.ax1x.com/2019/12/18/Q7R2Os.png" alt="1-2"></a></p>
<p><a href="https://s2.ax1x.com/2019/12/18/Q7RWmn.png" data-lightbox="42ebd2e1-692a-43fd-a550-6c0c369c8a3b" data-title="3-4" target="_blank"><img src="https://s2.ax1x.com/2019/12/18/Q7RWmn.png" alt="3-4"></a></p>
<ol>
<li><code>multiport</code>&#x7B80;&#x5355;&#x4F7F;&#x7528;</li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5F00;&#x653E;22/80/445&#x7AEF;&#x53E3;&#x7684;tcp&#x51FA;&#x5165;&#x8FDE;&#x63A5;</span>
iptables -R INPUT <span class="token number">1</span> -d <span class="token number">172.16</span>.122.135  -p tcp -m multiport --dports <span class="token number">22,80</span>,445 -j ACCEPT
iptables -R OUTPUT <span class="token number">1</span>  -s <span class="token number">172.16</span>.122.135  -p tcp -m multiport --sports <span class="token number">22,80</span>,445 -j ACCEPT
</code></pre>
<ol>
<li><code>iprange</code>&#x7B80;&#x5355;&#x4F7F;&#x7528;</li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5141;&#x8BB8;172.16.122.130-172.16.122.140&#x5730;&#x5740;&#x8303;&#x56F4;&#x5185;&#x7684;&#x6240;&#x6709;&#x4E3B;&#x673A;&#x8BBF;&#x95EE;&#x53EF;&#x4EE5;&#x4F7F;&#x7528;&#x672C;&#x5730;tcp&#x8FDE;&#x63A5;80&#x7AEF;&#x53E3;</span>
iptables -I INPUT <span class="token number">2</span> -d <span class="token number">172.16</span>.122.135 -p tcp --dport <span class="token number">80</span> -m iprange --src-range <span class="token number">172.16</span>.122.130-172.16.122.140 -j ACCEPT
iptables -I OUTPUT <span class="token number">2</span> -s <span class="token number">172.16</span>.122.135 -p tcp --sport <span class="token number">80</span> -m iprange --dst-range <span class="token number">172.16</span>.122.130-172.16.122.140 -j ACCEPT
</code></pre>
<ol>
<li><code>time</code>&#x7B80;&#x5355;&#x4F7F;&#x7528;</li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5141;&#x8BB8;&#x5916;&#x90E8;&#x4E3B;&#x673A;&#x8BBF;&#x95EE;&#x672C;&#x5730;&#x7684;80&#x7AEF;&#x53E3;&#xFF0C;&#x4F46;&#x53EA;&#x80FD;&#x5728;&#x6307;&#x5B9A;&#x65F6;&#x95F4;&#x6BB5;&#x8FDB;&#x884C;&#x8BBF;&#x95EE;&#xFF08;&#x5468;&#x4E00;&#x81F3;&#x5468;&#x4E94;&#x65E9;&#x516B;&#x70B9;&#x5230;&#x665A;&#x516B;&#x70B9;&#xFF09;</span>
iptables -I INPUT <span class="token number">2</span> -d <span class="token number">172.16</span>.122.135 -p tcp --dport <span class="token number">80</span> -m <span class="token function">time</span> --timestart <span class="token number">8</span>:00:00 --timestop <span class="token number">20</span>:00:00 --weekdays <span class="token number">1,2</span>,3,4,5 --kerneltz  -j ACCEPT
iptables -I OUTPUT <span class="token number">2</span> -s <span class="token number">172.16</span>.122.135 -p tcp --sport <span class="token number">80</span> -m <span class="token function">time</span> --timestart <span class="token number">8</span>:00:00 --timestop <span class="token number">20</span>:00:00 --weekdays <span class="token number">1,2</span>,3,4,5 --kerneltz  -j ACCEPT
<span class="token comment"># kerneltz&#x9009;&#x9879;&#x5728;CentOS 6&#x4E0A;&#x65E0;&#x9700;&#x6DFB;&#x52A0;&#x4F7F;&#x7528;&#xFF0C;&#x56E0;&#x4E3A;CentOS 6 &#x9ED8;&#x8BA4;&#x4F1A;&#x4F7F;&#x7528;&#x5185;&#x6838;&#x914D;&#x7F6E;&#x7684;&#x65F6;&#x533A;</span>
*&#x9664;weekdays&#x4E4B;&#x5916;&#x8FD8;&#x53EF;&#x4EE5;&#x6307;&#x5B9A;&#x4E00;&#x4E2A;&#x6708;&#x4E2D;&#x7684;&#x54EA;&#x51E0;&#x5929;monthdays --monthdays&#x4E0E; --weekdays&#x53EF;&#x4EE5;&#x4F7F;&#x7528;<span class="token string">&quot;!&quot;</span>&#x53D6;&#x53CD;&#xFF0C;&#x5176;&#x4ED6;&#x9009;&#x9879;&#x4E0D;&#x80FD;&#x53D6;&#x53CD;
</code></pre>
<ol>
<li><code>string</code>&#x7B80;&#x5355;&#x4F7F;&#x7528;</li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5C4F;&#x853D;&#x7F51;&#x9875;&#x5185;&#x5BB9;&#x4E2D;&#x7684;fuck&#x654F;&#x611F;&#x8BCD;&#x6C47;</span>
* &#x7F51;&#x9875;&#x5185;&#x5BB9;&#xFF1A;
hello everyone, my name is fuck.<span class="token punctuation">(</span>just kidding~<span class="token punctuation">)</span>
iptables -I OUTPUT -m string --algo bm --string <span class="token string">&quot;fuck&quot;</span> -j DROP
*  --algo&#xFF1A;&#x7528;&#x4E8E;&#x6307;&#x5B9A;&#x5339;&#x914D;&#x7B97;&#x6CD5;&#xFF0C;&#x53EF;&#x9009;&#x7684;&#x7B97;&#x6CD5;&#x6709;bm&#x4E0E;kmp&#xFF0C;&#x6B64;&#x9009;&#x9879;&#x4E3A;&#x5FC5;&#x987B;&#x9009;&#x9879;&#xFF0C;&#x6211;&#x4EEC;&#x4E0D;&#x7528;&#x7EA0;&#x7ED3;&#x4E8E;&#x9009;&#x62E9;&#x54EA;&#x4E2A;&#x7B97;&#x6CD5;&#xFF0C;&#x4F46;&#x662F;&#x6211;&#x4EEC;&#x5FC5;&#x987B;&#x6307;&#x5B9A;&#x4E00;&#x4E2A;&#xFF0C;--string&#xFF1A;&#x7528;&#x4E8E;&#x6307;&#x5B9A;&#x9700;&#x8981;&#x5339;&#x914D;&#x7684;&#x5B57;&#x7B26;&#x4E32;
</code></pre>
<p>&#x6CE8;&#x610F;&#xFF1A;&#x53EA;&#x80FD;&#x5BF9;&#x660E;&#x6587;&#x7F16;&#x7801;&#x7684;&#x5B57;&#x7B26;&#x4E32;&#x8FDB;&#x884C;&#x4F7F;&#x7528;</p>
<ol>
<li><code>connlimit</code>&#x7B80;&#x5355;&#x5B9E;&#x7528;</li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x9650;&#x5236;mysql&#x5E76;&#x53D1;&#x8FDE;&#x63A5;&#x6570;&#x91CF;</span>
<span class="token comment"># &#x9650;&#x5236;&#x5355;&#x4E2A;IP&#x7684;&#x8FDE;&#x63A5;&#x6570;&#xFF0C;&#x8FDE;&#x63A5;&#x6570;&#x5927;&#x4E8E;&#x4E09;&#x4E2A;&#x5219;&#x62D2;&#x7EDD;&#x8BBF;&#x95EE;</span>
iptables -I INPUT <span class="token number">2</span> -d <span class="token number">172.16</span>.122.135 -s <span class="token number">172.16</span>.122.0/24 -p tcp --dport <span class="token number">3306</span> -m connlimit --connlimit-upto <span class="token number">2</span> -j ACCEPT
</code></pre>
<ol>
<li><code>limit</code>&#x7B80;&#x5355;&#x4F7F;&#x7528;</li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x9650;&#x5236;ping&#x8BF7;&#x6C42;&#x5305;&#x7684;&#x901F;&#x7387;&#xFF0C;&#x6BCF;3&#x79D2;&#x949F;&#x54CD;&#x5E94;&#x4E00;&#x6B21;&#xFF0C;&#x5E76;&#x4E14;&#x5176;&#x9608;&#x503C;&#x4E3A;5&#xFF0C;&#x7B80;&#x5355;&#x6765;&#x8BF4;&#x5C31;&#x662F;&#x524D;4&#x4E2A;icmp&#x5305;&#x54CD;&#x5E94;&#x6B63;&#x5E38;&#xFF0C;&#x5230;&#x7B2C;5&#x4E2A;&#x5305;&#x5F00;&#x59CB;&#x5C31;&#x8981;&#x6BCF;3&#x79D2;&#x949F;&#x54CD;&#x5E94;&#x4E00;&#x6B21;</span>
iptables -A INPUT -d <span class="token number">172.16</span>.122.135 -p icmp --icmp-type <span class="token number">8</span> -m limit --limit-burst <span class="token number">5</span> --limit <span class="token number">20</span>/minute -j ACCEPT
iptables -A OUTPUT -s <span class="token number">172.16</span>.122.135 -p icmp --icmp-type <span class="token number">0</span> -j ACCEPT
</code></pre>
<ol>
<li><strong><code>state</code>&#x7B80;&#x5355;&#x4F7F;&#x7528;</strong></li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x653E;&#x884C;&#x6307;&#x5B9A;&#x7AEF;&#x53E3;&#x5E76;&#x4E14;&#x6307;&#x5B9A;&#x5305;&#x7C7B;&#x578B;&#x4E3A;NEW&#x7684;&#x5305;&#x53EF;&#x4EE5;&#x901A;&#x8FC7;</span>
iptables -A INPUT -d <span class="token number">172.16</span>.122.136 -p tcp -m multiport --dports <span class="token number">22,3306</span>,443,80 -m state --state NEW -j ACCEPT
iptables -I INPUT -d <span class="token number">172.16</span>.122.136 -m state --state ESTABLISHED -j ACCEPT
iptables -I OUTPUT -s <span class="token number">172.16</span>.122.136 -m state --state ESTABLISHED -j ACCEPT
<span class="token comment"># &#x81EA;&#x5B9A;&#x4E49;&#x9ED8;&#x8BA4;&#x89C4;&#x5219;&#x8BBE;&#x4E3A;DROP</span>
iptables -A INPUT -d <span class="token number">172.16</span>.122.136 -j  REJECT
iptables -A OUTPUT -s <span class="token number">172.16</span>.122.136 -j  REJECT
</code></pre>
<h3 id="target&#x5904;&#x7406;&#x52A8;&#x4F5C;"><a name="target&#x5904;&#x7406;&#x52A8;&#x4F5C;" class="anchor-navigation-ex-anchor" href="#target&#x5904;&#x7406;&#x52A8;&#x4F5C;"><i class="fa fa-link" aria-hidden="true"></i></a>1.4.3. target&#x5904;&#x7406;&#x52A8;&#x4F5C;</h3>
<p><a href="#&#x5E38;&#x7528;target">target&#x5904;&#x7406;&#x52A8;&#x4F5C;</a></p>
<p>&#x81EA;&#x5B9A;&#x4E49;&#x5904;&#x7406;&#x52A8;&#x4F5C;&#x94FE;&#xFF1A;</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x7B80;&#x5355;&#x4F7F;&#x7528;</span>
<span class="token comment"># &#x521B;&#x5EFA;&#x81EA;&#x5B9A;&#x4E49;&#x94FE;</span>
iptables -N diy_rules
iptables -A diy_rules -d <span class="token number">172.16</span>.122.136 -p icmp --icmp-type <span class="token number">8</span> -j ACCEPT
iptables -I diy_rules -d <span class="token number">172.16</span>.122.136 -s <span class="token number">172.16</span>.122.137 -p icmp -j DROP
<span class="token comment"># &#x4F7F;&#x7528;&#x81EA;&#x5B9A;&#x4E49;&#x94FE;</span>
iptables -A INPUT -d <span class="token number">172.16</span>.122.136 -p icmp -j diy_rules
</code></pre>
<h4 id="reject"><a name="reject" class="anchor-navigation-ex-anchor" href="#reject"><i class="fa fa-link" aria-hidden="true"></i></a>REJECT</h4>
<p>REJECT&#x52A8;&#x4F5C;&#x7684;&#x5E38;&#x7528;&#x9009;&#x9879;&#x4E3A;<code>--reject-with</code>&#xFF0C;&#x4F7F;&#x7528;<code>--reject-with</code>&#x9009;&#x9879;&#xFF0C;&#x53EF;&#x4EE5;&#x8BBE;&#x7F6E;&#x63D0;&#x793A;&#x4FE1;&#x606F;&#xFF0C;&#x5F53;&#x5BF9;&#x65B9;&#x88AB;&#x62D2;&#x7EDD;&#x65F6;&#xFF0C;&#x4F1A;&#x63D0;&#x793A;&#x5BF9;&#x65B9;&#x4E3A;&#x4EC0;&#x4E48;&#x88AB;&#x62D2;&#x7EDD;.</p>
<p>&#x53EF;&#x7528;&#x503C;&#x5982;&#x4E0B;&#xFF1A;</p>
<p>icmp-net-unreachable&#x3001;icmp-host-unreachable&#x3001;icmp-port-unreachable&#xFF08;default&#x9ED8;&#x8BA4;&#x503C;&#xFF09;&#x3001;icmp-proto-unreachable&#x3001;icmp-net-prohibited&#x3001;icmp-host-prohibited&#x3001;icmp-admin-prohibited</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5C06;&#x62D2;&#x7EDD;&#x62A5;&#x6587;&#x9ED8;&#x8BA4;&#x7684;&#x7684;&#x201C;&#x7AEF;&#x53E3;&#x4E0D;&#x53EF;&#x8FBE;&#x201D;&#xFF0C;&#x6539;&#x4E3A;&#x201C;&#x4E3B;&#x673A;&#x4E0D;&#x53EF;&#x8FBE;&#x201D;</span>
iptables -A INPUT  -j REJECT --reject-with icmp-host-unreachable
</code></pre>
<h4 id="log"><a name="log" class="anchor-navigation-ex-anchor" href="#log"><i class="fa fa-link" aria-hidden="true"></i></a>LOG</h4>
<p>LOG&#x52A8;&#x4F5C;&#x53EA;&#x8D1F;&#x8D23;&#x8BB0;&#x5F55;&#x5339;&#x914D;&#x5230;&#x7684;&#x62A5;&#x6587;&#x7684;&#x76F8;&#x5173;&#x4FE1;&#x606F;&#xFF0C;&#x4E0D;&#x8D1F;&#x8D23;&#x5BF9;&#x62A5;&#x6587;&#x7684;&#x5176;&#x4ED6;&#x5904;&#x7406;&#xFF0C;&#x5982;&#x679C;&#x60F3;&#x8981;&#x5BF9;&#x62A5;&#x6587;&#x8FDB;&#x884C;&#x8FDB;&#x4E00;&#x6B65;&#x7684;&#x5904;&#x7406;&#xFF0C;&#x53EF;&#x4EE5;&#x5728;&#x4E4B;&#x540E;&#x8BBE;&#x7F6E;&#x5177;&#x4F53;&#x89C4;&#x5219;&#xFF0C;&#x8FDB;&#x884C;&#x8FDB;&#x4E00;&#x6B65;&#x7684;&#x5904;&#x7406;.</p>
<p>LOG&#x53EF;&#x7528;&#x9009;&#x9879;&#xFF1A;</p>
<ol>
<li><p><code>--log-level</code>&#xFF1A;&#x53EF;&#x4EE5;&#x6307;&#x5B9A;&#x8BB0;&#x5F55;&#x65E5;&#x5FD7;&#x7684;&#x65E5;&#x5FD7;&#x7EA7;&#x522B;&#xFF0C;&#x53EF;&#x7528;&#x7EA7;&#x522B;&#x6709;emerg&#xFF0C;alert&#xFF0C;crit&#xFF0C;error&#xFF0C;warning&#xFF0C;notice&#xFF0C;info&#xFF0C;debug&#xFF08;&#x7EA7;&#x522B;&#x7531;&#x9AD8;&#x5230;&#x4F4E;&#xFF09;</p>
</li>
<li><p><code>--log-prefix</code>&#xFF1A;&#x53EF;&#x4EE5;&#x7ED9;&#x8BB0;&#x5F55;&#x5230;&#x7684;&#x76F8;&#x5173;&#x4FE1;&#x606F;&#x6DFB;&#x52A0;&quot;&#x6807;&#x7B7E;&quot;&#x4E4B;&#x7C7B;&#x7684;&#x4FE1;&#x606F;&#xFF0C;&#x4EE5;&#x4FBF;&#x533A;&#x5206;&#x5404;&#x79CD;&#x8BB0;&#x5F55;&#x5230;&#x7684;&#x62A5;&#x6587;&#x4FE1;&#x606F;&#xFF0C;&#x65B9;&#x4FBF;&#x5728;&#x5206;&#x6790;&#x65F6;&#x8FDB;&#x884C;&#x8FC7;&#x6EE4;</p>
</li>
</ol>
<p>&#x6CE8;&#xFF1A;<code>--log-prefix</code>&#x5BF9;&#x5E94;&#x7684;&#x503C;&#x4E0D;&#x80FD;&#x8D85;&#x8FC7;29&#x4E2A;&#x5B57;&#x7B26;</p>
<pre class="language-"><code class="lang-bash">iptables -A INPUT -p tcp --dport <span class="token number">80</span> -m state --state NEW -j LOG --log-prefix <span class="token string">&quot;someone visit our web&quot;</span>
</code></pre>
<h4 id="snat&#x548C;dnat&#x548C;masquerade"><a name="snat&#x548C;dnat&#x548C;masquerade" class="anchor-navigation-ex-anchor" href="#snat&#x548C;dnat&#x548C;masquerade"><i class="fa fa-link" aria-hidden="true"></i></a>SNAT&#x548C;DNAT&#x548C;MASQUERADE</h4>
<p>&#x89C1;<a href="#NAT&#x8DEF;&#x7531;">NAT&#x8DEF;&#x7531;</a></p>
<h4 id="redirect"><a name="redirect" class="anchor-navigation-ex-anchor" href="#redirect"><i class="fa fa-link" aria-hidden="true"></i></a>REDIRECT</h4>
<p>&#x53EF;&#x4EE5;&#x7528;&#x4F5C;&#x7AEF;&#x53E3;&#x6620;&#x5C04;</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5F53;&#x522B;&#x7684;&#x673A;&#x5668;&#x8BBF;&#x95EE;&#x672C;&#x673A;&#x7684;80&#x7AEF;&#x53E3;&#x65F6;&#xFF0C;&#x62A5;&#x6587;&#x4F1A;&#x88AB;&#x91CD;&#x5B9A;&#x5411;&#x5230;&#x672C;&#x673A;&#x7684;8080&#x7AEF;&#x53E3;&#x4E0A;</span>
iptables -t nat -A PREROUTING -p tcp --dport <span class="token number">80</span> -j REDIRECT --to-ports <span class="token number">8080</span>
</code></pre>
<h3 id="&#x6E05;&#x9664;&#x89C4;&#x5219;&#x76F8;&#x5173;"><a name="&#x6E05;&#x9664;&#x89C4;&#x5219;&#x76F8;&#x5173;" class="anchor-navigation-ex-anchor" href="#&#x6E05;&#x9664;&#x89C4;&#x5219;&#x76F8;&#x5173;"><i class="fa fa-link" aria-hidden="true"></i></a>1.4.4. &#x6E05;&#x9664;&#x89C4;&#x5219;&#x76F8;&#x5173;</h3>
<p>&#x683C;&#x5F0F;&#xFF1A;<code>iptables [-t tables] [-FXZ]</code></p>
<p>&#x9009;&#x9879;&#x4E0E;&#x53C2;&#x6570;&#xFF1A;</p>
<ul>
<li><p>-F&#xFF1A;&#x6E05;&#x9664;&#x6240;&#x6709;&#x5236;&#x8BA2;&#x7684;&#x89C4;&#x5219;</p>
</li>
<li><p>-X&#xFF1A;&#x6E05;&#x9664;&#x6240;&#x6709;&#x7528;&#x6237;&#x201C;&#x81EA;&#x5B9A;&#x4E49;&#x201D;&#x7684;chain</p>
</li>
<li><p>-Z&#xFF1A;&#x5C06;&#x6240;&#x6709;chain&#x7684;&#x8BA1;&#x6570;&#x4E0E;&#x6D41;&#x91CF;&#x7EDF;&#x8BA1;&#x90FD;&#x5F52;&#x96F6;</p>
</li>
<li>-D&#xFF1A;&#x5220;&#x9664;&#x89C4;&#x5219;</li>
</ul>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x6E05;&#x9664;filter&#x8868;&#x6240;&#x6709;&#x89C4;&#x5219;</span>
iptables -t filter -F
<span class="token comment"># &#x6E05;&#x9664;filter&#x8868;&#x7684;&#x7B2C;&#x4E00;&#x6761;INPUT&#x94FE;&#x6D41;&#x91CF;&#x7EDF;&#x8BA1;</span>
iptables -Z INPUT <span class="token number">1</span>
<span class="token comment"># &#x5220;&#x9664;filter&#x8868;&#x7684;&#x7B2C;&#x4E00;&#x6761;INPUT&#x94FE;&#x89C4;&#x5219;</span>
iptables -D INPUT <span class="token number">1</span>
</code></pre>
<p>:warning:<strong>&#x9700;&#x8981;&#x7279;&#x522B;&#x6CE8;&#x610F;&#x7684;&#x662F;&#xFF1A;</strong>&#x76F4;&#x63A5;&#x4F7F;&#x7528;<code>-F</code>&#x6E05;&#x7A7A;&#x89C4;&#x5219;&#x65F6;&#xFF0C;&#x5982;&#x679C;&#x5DF2;&#x7ECF;&#x914D;&#x7F6E;&#x8FC7;&#x9ED8;&#x8BA4;&#x89C4;&#x5219;&#x4E3A;deny&#x7684;&#x73AF;&#x5883;&#xFF0C;&#x6B64;&#x6B65;&#x9AA4;&#x5C06;&#x4F7F;&#x7CFB;&#x7EDF;&#x7684;&#x6240;&#x6709;&#x7F51;&#x7EDC;&#x8BBF;&#x95EE;&#x4E2D;&#x65AD;&#xFF0C;&#x6240;&#x4EE5;&#x6E05;&#x7A7A;&#x4E4B;&#x524D;&#x5E94;&#x5F53;&#x5148;&#x6267;&#x884C;<code>iptables -P INPUT ACCEPT</code>&#x518D;&#x6267;&#x884C;<code>-F</code>&#x64CD;&#x4F5C;&#x3002;&#x6B64;&#x5916;&#xFF0C;&#x6E05;&#x7A7A;&#x89C4;&#x5219;&#x4E0D;&#x53EF;&#x9006;&#x8F6C;&#xFF0C;&#x9664;&#x975E;&#x4F60;&#x77E5;&#x9053;&#x4F60;&#x5728;&#x505A;&#x4EC0;&#x4E48;&#xFF0C;&#x6E05;&#x7A7A;&#x4E4B;&#x524D;&#x90FD;&#x5E94;&#x5F53;&#x5148;&#x5907;&#x4EFD;&#x4E00;&#x4EFD;&#xFF0C;&#x6B65;&#x9AA4;&#x5982;&#x4E0B;&#xFF1A;</p>
<p><code>iptables-save</code>&#x548C;<code>iptables-restore</code>&#x7684;&#x4F7F;&#x7528;&#xFF1A;</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5C06;&#x6240;&#x6709;&#x89C4;&#x5219;&#x8FFD;&#x52A0;&#x5230;&#x4E00;&#x4E2A;&#x6587;&#x4EF6;</span>
iptables-save -c -t filter <span class="token operator">&gt;</span> /root/iptables.bak            <span class="token comment"># &#x53C2;&#x6570;-c/--counters&#x8868;&#x793A;&#x5728;&#x8F93;&#x51FA;&#x4E2D;&#x5305;&#x542B;&#x6240;&#x6709;&#x62A5;&#x6587;&#x548C;&#x5B57;&#x8282;&#x8BA1;&#x6570;&#x7684;&#x5F53;&#x524D;&#x503C;&#xFF0C;-t/--table &lt;tablename&gt;&#x9650;&#x5236;&#x53EA;&#x8F93;&#x51FA;&#x7279;&#x5B9A;&#x8868;&#xFF0C;&#x5982;&#x679C;&#x4E0D;&#x6307;&#x5B9A;&#xFF0C;&#x4F1A;&#x8F93;&#x51FA;&#x6240;&#x6709;&#x53EF;&#x80FD;&#x7684;&#x8868;</span>
<span class="token comment"># &#x91CD;&#x8F7D;iptables&#x5907;&#x4EFD;&#x6587;&#x4EF6;</span>
iptables-restore <span class="token operator">&lt;</span> /root/iptables.bak
</code></pre>
<h2 id="&#x7F51;&#x7EDC;&#x9632;&#x706B;&#x5899;"><a name="&#x7F51;&#x7EDC;&#x9632;&#x706B;&#x5899;" class="anchor-navigation-ex-anchor" href="#&#x7F51;&#x7EDC;&#x9632;&#x706B;&#x5899;"><i class="fa fa-link" aria-hidden="true"></i></a>1.5. &#x7F51;&#x7EDC;&#x9632;&#x706B;&#x5899;</h2>
<p>&#x5047;&#x8BBE;&#x6709;&#x4E09;&#x53F0;&#x4E3B;&#x673A;&#xFF0C;&#x4E00;&#x53F0;&#x5185;&#x7F51;&#x4E3B;&#x673A;&#xFF0C;&#x4E00;&#x53F0;&#x4F5C;&#x4E3A;&#x8DEF;&#x7531;&#xFF0C;&#x53E6;&#x4E00;&#x53F0;&#x4F5C;&#x4E3A;&#x5916;&#x7F51;&#x4E3B;&#x673A;&#xFF0C;&#x5173;&#x7CFB;&#x5982;&#x4E0B;&#xFF08;&#x56FE;&#x6709;&#x70B9;&#x8FA3;&#x9E21;...&#xFF09;&#xFF1A;</p>
<p><a href="https://s2.ax1x.com/2019/12/19/QbmRO0.png" data-lightbox="b4152266-8484-4649-aecd-dd89c96d7b53" data-title="" target="_blank" rel="noopener noreferrer"><img src="https://s2.ax1x.com/2019/12/19/QbmRO0.png" alt=""></a></p>
<p>&#x5B9E;&#x73B0;&#x8BBF;&#x95EE;&#x63A7;&#x5236;&#xFF08;&#x5185;&#x7F51;&#x8BBF;&#x95EE;&#x5916;&#x7F51;&#xFF09;</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5173;&#x95ED;&#x5185;&#x7F51;&#x4E3B;&#x673A;&#x8BBF;&#x95EE;&#x5916;&#x7F51;&#x4E3B;&#x673A;</span>
iptables -A FORWARD -j REJECT
<span class="token comment"># &#x5141;&#x8BB8;&#x5185;&#x7F51;&#x4E3B;&#x673A;&#x5BF9;&#x5916;&#x7F51;&#x53D1;&#x51FA;&#x8BF7;&#x6C42;&#x62A5;&#x6587;</span>
iptables -I FORWARD -s <span class="token number">10.19</span>.194.0/24 -p tcp --dport <span class="token number">80</span> -j ACCEPT
<span class="token comment"># &#x5141;&#x8BB8;&#x5185;&#x7F51;&#x4E3B;&#x673A;&#x5BF9;&#x5916;&#x7F51;&#x63A5;&#x6536;&#x8BF7;&#x6C42;&#x62A5;&#x6587;</span>
iptables -I FORWARD <span class="token number">2</span> -s <span class="token number">172.16</span>.122.0/24 -p tcp --sport <span class="token number">80</span> -j ACCEPT
</code></pre>
<h2 id="nat&#x8DEF;&#x7531;"><a name="nat&#x8DEF;&#x7531;" class="anchor-navigation-ex-anchor" href="#nat&#x8DEF;&#x7531;"><i class="fa fa-link" aria-hidden="true"></i></a>1.6. NAT&#x8DEF;&#x7531;</h2>
<p>&#x4EE5;&#x4E0B;&#x7B80;&#x5355;&#x793A;&#x4F8B;&#x501F;&#x52A9;&#x4E8E;<a href="#&#x7F51;&#x7EDC;&#x9632;&#x706B;&#x5899;">&#x7F51;&#x7EDC;&#x9632;&#x706B;&#x5899;</a>&#x7684;&#x62D3;&#x6251;&#x7ED3;&#x6784;.</p>
<h3 id="snat"><a name="snat" class="anchor-navigation-ex-anchor" href="#snat"><i class="fa fa-link" aria-hidden="true"></i></a>1.6.1. SNAT</h3>
<p>This target is only valid in the <code>nat table</code>, in the <code>POSTROUTING and INPUT</code> chains, and <code>user-defined</code> chains which are only called from those chains.</p>
<p>&#x4F7F;&#x7528;SNAT&#x5185;&#x7F51;&#x8BBF;&#x95EE;&#x5916;&#x7F51;&#x5B9E;&#x73B0;&#x9690;&#x85CF;&#x5185;&#x7F51;&#x4E3B;&#x673A;&#x5730;&#x5740;</p>
<pre class="language-"><code class="lang-bash">iptables -t nat -A POSTROUTING -s <span class="token number">10.19</span>.194.0/24 -j SNAT --to-source <span class="token number">172.16</span>.122.138
</code></pre>
<h3 id="masquerade"><a name="masquerade" class="anchor-navigation-ex-anchor" href="#masquerade"><i class="fa fa-link" aria-hidden="true"></i></a>1.6.2. MASQUERADE</h3>
<p>This target is only valid in the <code>nat table</code>, in the <code>POSTROUTING</code> chain. It should only be used with dynamically assigned IP (dialup) connections: <strong>if you have a static IP address, you should use the SNAT target.</strong></p>
<p>&#x53EF;&#x4EE5;&#x628A;MASQUERADE&#x7406;&#x89E3;&#x4E3A;&#x52A8;&#x6001;&#x7684;&#x3001;&#x81EA;&#x52A8;&#x5316;&#x7684;SNAT&#xFF0C;&#x5982;&#x679C;&#x6CA1;&#x6709;&#x52A8;&#x6001;SNAT&#x7684;&#x9700;&#x6C42;&#xFF0C;&#x6CA1;&#x6709;&#x5FC5;&#x8981;&#x4F7F;&#x7528;MASQUERADE&#xFF0C;&#x56E0;&#x4E3A;SNAT&#x66F4;&#x52A0;&#x9AD8;&#x6548;</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x56FA;&#x5B9A;&#x7F51;&#x5361;</span>
iptables -t nat -I POSTROUTING -s <span class="token number">10.19</span>.194.0/24 -o ens37 -j MASQUERADE
</code></pre>
<h3 id="dnat"><a name="dnat" class="anchor-navigation-ex-anchor" href="#dnat"><i class="fa fa-link" aria-hidden="true"></i></a>1.6.3. DNAT</h3>
<p>This target is only valid in the <code>nat table</code>, in the <code>PREROUTING and OUTPUT</code> chains, and <code>user-defined</code> chains which are only called from those chains.</p>
<p>&#x8BA9;&#x5916;&#x7F51;&#x4E3B;&#x673A;&#x80FD;&#x591F;&#x8BBF;&#x95EE;&#x5185;&#x7F51;&#x4E3B;&#x673A;106&#x7684;web&#x670D;&#x52A1;</p>
<pre class="language-"><code class="lang-bash">iptables -t nat -A PREROUTING -d <span class="token number">10.19</span>.194.0/24 -p tcp --dport <span class="token number">80</span> -j DNAT --to-destination <span class="token number">10.19</span>.194.106
</code></pre>
<h2 id="iptables&#x5B9E;&#x4F8B;"><a name="iptables&#x5B9E;&#x4F8B;" class="anchor-navigation-ex-anchor" href="#iptables&#x5B9E;&#x4F8B;"><i class="fa fa-link" aria-hidden="true"></i></a>1.7. iptables&#x5B9E;&#x4F8B;</h2>
<ol>
<li>&#x4EC5;&#x5141;&#x8BB8;&#x4E00;&#x90E8;&#x5206;&#x4E3B;&#x673A;ping&#x5F53;&#x524D;&#x4E3B;&#x673A;</li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x524D;&#x63D0;&#x662F;filter&#x8868;&#x7684;INPUT&#x94FE;&#x548C;OUTPUT&#x94FE;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#x4E3A;DROP</span>
<span class="token comment"># INPUT&#x94FE;</span>
iptables -A INPUT -s <span class="token number">172.16</span>.122.0/24 -d <span class="token number">172.16</span>.122.135 -p icmp -j ACCEPT
<span class="token comment"># INPUT&#x94FE;</span>
iptables -A OUTPUT -s <span class="token number">172.16</span>.122.135 -d <span class="token number">172.16</span>.122.0/24 -p icmp -j ACCEPT
</code></pre>
<blockquote>
<p>&#x6269;&#x5C55;&#xFF1A;icmp type&#xFF08;&#x5E38;&#x89C1;&#x7684;0&#x548C;8&#xFF09;</p>
<table>
<thead>
<tr>
<th><strong>&#x7C7B;&#x578B;TYPE</strong></th>
<th>&#x7528;&#x9014;&#x63CF;&#x8FF0; Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>0</td>
<td>Echo Reply&#x2014;&#x2014;&#x56DE;&#x663E;&#x5E94;&#x7B54;&#xFF08;Ping&#x5E94;&#x7B54;&#xFF09;</td>
</tr>
<tr>
<td>8</td>
<td>Echo request&#x2014;&#x2014;&#x56DE;&#x663E;&#x8BF7;&#x6C42;&#xFF08;Ping&#x8BF7;&#x6C42;&#xFF09;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>&#x56E0;&#x6B64;&#xFF0C;&#x6211;&#x4EEC;&#x53EF;&#x4EE5;&#x501F;&#x52A9;<code>icmp type</code>&#x6765;&#x5B9E;&#x73B0;&#x81EA;&#x5DF1;&#x53EF;&#x4EE5;ping&#x522B;&#x4EBA;&#xFF0C;&#x4F46;&#x522B;&#x4EBA;ping&#x4E0D;&#x5230;&#x81EA;&#x5DF1;</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x9ED8;&#x8BA4;&#x89C4;&#x5219;&#x7B56;&#x7565;&#x4E3A;DROP</span>
iptables -I OUTPUT <span class="token number">2</span> -s <span class="token number">172.16</span>.122.135 -p icmp --icmp-type <span class="token number">8</span> -j ACCEPT
iptables -I INPUT <span class="token number">2</span> -d <span class="token number">172.16</span>.122.135 -p icmp --icmp-type <span class="token number">0</span> -j ACCEPT
</code></pre>
<ol>
<li>&#x4EC5;&#x5F00;&#x653E;&#x672C;&#x673A;&#x7684;ssh&#x670D;&#x52A1;&#x7ED9;&#x6307;&#x5B9A;&#x7F51;&#x7EDC;</li>
</ol>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x524D;&#x63D0;&#x662F;filter&#x8868;&#x7684;INPUT&#x94FE;&#x548C;OUTPUT&#x94FE;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#x4E3A;DROP</span>
<span class="token comment"># INPUT&#x94FE;</span>
iptables -A INPUT -s <span class="token number">172.16</span>.122.0/24  -d <span class="token number">172.16</span>.122.135  -p tcp --dport <span class="token number">22</span> -j ACCEPT
<span class="token comment"># OUTPUT&#x94FE;</span>
iptables -A OUTPUT -s <span class="token number">172.16</span>.122.135  -d <span class="token number">172.16</span>.122.0/24 -p tcp --sport <span class="token number">22</span>  -j ACCEPT
</code></pre>
<ol>
<li>iptables&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#x7684;&#x4F18;&#x5316;</li>
</ol>
<p>&#x5982;&#x679C;&#x5C06;filter&#x8868;&#x7684;<code>INPUT</code>&#x6216;<code>OUTPUT</code>&#x94FE;&#x9ED8;&#x8BA4;&#x7B56;&#x7565;&#x6539;&#x4E3A;<code>DROP</code>&#x767D;&#x540D;&#x5355;&#x6A21;&#x5F0F;&#x7684;&#x8BDD;&#xFF0C;&#x67D0;&#x4E00;&#x5929;&#x4F60;&#x4E0D;&#x5C0F;&#x5FC3;&#x4F7F;&#x7528;&#x4E86;<code>-F</code>&#x8FD9;&#x4E2A;&#x5371;&#x9669;&#x7684;&#x9009;&#x9879;&#x5C06;&#x89C4;&#x5219;&#x5168;&#x90E8;&#x6E05;&#x7A7A;&#x4E86;&#xFF0C;&#x90A3;&#x8FD9;&#x65F6;&#x4F60;&#x5C31;&#x65E0;&#x6CD5;&#x8FDC;&#x7A0B;&#x8BBF;&#x95EE;&#x5230;&#x4F60;&#x7684;&#x4E3B;&#x673A;&#x4E86;&#xFF0C;&#x6240;&#x4EE5;&#x4E3A;&#x4E86;&#x89E3;&#x51B3;&#x8FD9;&#x4E2A;&#x95EE;&#x9898;&#xFF0C;&#x53EF;&#x4EE5;&#x4F7F;&#x7528;&#x4EE5;&#x4E0B;&#x65B9;&#x6CD5;&#xFF1A;</p>
<pre class="language-"><code class="lang-bash"><span class="token comment"># &#x5C06;INPUT&#x94FE;&#x548C;OUTPUT&#x94FE;&#x7684;&#x9ED8;&#x8BA4;&#x89C4;&#x5219;&#x6539;&#x4E3A;ACCEPT</span>
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
<span class="token comment"># &#x5C06;INPUT&#x94FE;&#x548C;OUTPUT&#x94FE;&#x7684;&#x6700;&#x540E;&#x4E00;&#x6761;&#x89C4;&#x5219;&#x6539;&#x4E3A;&#x7981;&#x6B62;</span>
iptables -A INPUT -d <span class="token number">172.16</span>.122.135 -j DROP
iptables -A OUTPUT -s <span class="token number">172.16</span>.122.135 -j DROP
<span class="token comment"># &#x5982;&#x679C;&#x4F60;&#x7684;&#x672C;&#x673A;&#x6709;&#x591A;&#x4E2A;ip&#x5730;&#x5740;&#x7684;&#x8BDD;&#xFF0C;&#x53EF;&#x4EE5;&#x4F7F;&#x7528;&#x7F51;&#x5361;&#x6765;&#x5199;&#x89C4;&#x5219;</span>
iptables -A INPUT -i ens33 -j DROP
iptables -A OUTPUT -o ens33  -j DROP
</code></pre>
<p>&#x8FD9;&#x6837;&#x4FEE;&#x6539;&#x7684;&#x597D;&#x5904;&#x6709;&#x5F53;&#x4F60;&#x4E0D;&#x5C0F;&#x5FC3;&#x6E05;&#x7A7A;&#x89C4;&#x5219;&#x540E;&#xFF0C;&#x8FD8;&#x80FD;&#x591F;&#x8FDE;&#x63A5;&#x5230;&#x8FDC;&#x7A0B;&#x4E3B;&#x673A;&#xFF0C;&#x6B64;&#x5916;&#xFF0C;&#x8FD8;&#x53EF;&#x4EE5;&#x76F4;&#x63A5;&#x4F7F;&#x7528;&#x672C;&#x5730;&#x56DE;&#x73AF;&#x5730;&#x5740;&#x800C;&#x65E0;&#x9700;&#x65B0;&#x589E;&#x89C4;&#x5219;.</p>
<p>&#x53C2;&#x8003;&#x8D44;&#x6599;&#xFF1A;</p>
<p><a href="https://linux.die.net/man/8/iptables" target="_blank" rel="noopener noreferrer">https://linux.die.net/man/8/iptables</a></p>
<p><a href="http://www.zsythink.net/" target="_blank" rel="noopener noreferrer">http://www.zsythink.net/</a></p>
<footer class="page-footer"><span class="copyright">Copyright &#xA9; AGou 2020 all right reserved&#xFF0C;powered by Gitbook</span><span class="footer-modification">&#x8BE5;&#x6587;&#x4EF6;&#x4FEE;&#x8BA2;&#x65F6;&#x95F4;&#xFF1A;
2020-03-02 20:42:24
</span></footer>
                                
                                </section>
                            
    </div>
</div>

                        </div>
                    </div>
                
            </div>

            
                
                
            
        
    </div>

</div>

        
        
    

    </body>
</html>

